Office of Consumer Affairs and Business Regulation

My name is Tami Salmon and I am pleased to be here today representing the mutual fund members of the Investment Company Institute. The Institute is the national association of the U.S. mutual fund industry. Members of the Institute operate in all 50 states, as well as internationally; they manage total assets of over $11 trillion; and they serve over almost 93 million shareholders. Approximately half of the households in the Commonwealth own at least one mutual fund and these shareholders account for approximately $290 billion in mutual fund assets. Massachusetts remains the epicenter of the mutual fund industry with Massachusetts investment companies managing $2.4 trillion in assets, or 21% of the total industry assets. Importantly, these companies are also large employers in the Commonwealth, employing over 33,000 persons, or approximately 20% of the total employees in the industry. It is because of the importance of the Commonwealth to the mutual fund industry that I am here today.

Since the Data Standards were first published for comment, the Institute has sought to have them revised to more effectively fulfill their intent of protecting nonpublic personal information in a way that complements existing and evolving Federal laws, while avoiding unnecessary conflict with those laws.

As I have testified previously, mutual funds have long taken seriously their obligation to protect the confidentiality and integrity of the information they maintain on all consumers – not just Massachusetts residents. This obligation derives not only from requirements imposed on us under Federal law, but on each fund’s interest in protecting its brand image. Our industry depends on investors’ trust to survive and an important component of that trust is protecting the confidentiality, security, and integrity of shareholders’ information, regardless of where that shareholder may reside. It is for this reason that our members have spent tens of millions of dollars on their information security systems and why they continue to revise them to ensure they address new and emerging vulnerabilities and threats.

While we support strong protection of shareholder data, we strongly oppose prescriptive mandates that focus on the means, and not the end result. We believe our members are in the best position to know their businesses, their vulnerabilities, the sensitivity of their data, and the most effective way to protect that information.

From the day the Massachusetts rules were originally published for comment, we believed that they would impose significant and counterproductive impediments to the efforts of mutual funds to protect consumer information. We expressed our concerns in numerous letters to the Office of Consumer Affairs, through meetings with Agency personnel, and through testimony provided both to the Agency and to the Legislature.

Our concerns with the original rules were four-fold. First and foremost among them was the fact that the rules were overly prescriptive. Second, we were concerned that they exceeded the Agency’s statutory authority. Third, we believed they impeded interstate commerce. And fourth, they appeared to impermissibly subject the Commonwealth’s sister states to the Commonwealth’s regulatory requirements and enforcement authority.

Today, I am pleased to be here to testify in support of the Agency’s proposal to revise the rules and to urge their adoption with two minor amendments. We support their adoption because they address most of our concerns with the original rules and they provide greater flexibility to businesses. In our view, the proposed revisions will enable businesses, including mutual fund companies, to better safeguard consumer information and, as a result, they will enhance the protection of data.

The original version of the rules was prescriptive and lacked flexibility; those rules were static, difficult and costly to implement, and, ironically, less effective than intended. Under them, the size, complexities, vulnerabilities, and sensitivities of personal data held by businesses became irrelevant. That version required every business to protect data in the same way. So, for example, Antonio’s Pizza Parlor with a few hundred customers and limited customer information would have to protect its information the same way that the largest mutual fund company with hundreds of thousands of shareholders and volumes of sensitive personal information must protect its shareholders’ and employees’ information.

Not only do we believe that it makes no sense to subject a pizza parlor and a mutual fund company to identical data security requirements, we believe such an approach to data security is contrary to the language of the authorizing statute. This statute, Chapter 93H, expressly requires the rules to both be consistent with any applicable federal regulations and take into account the particular business’ size, scope and type of business, its resources, the amount of data it stores, and the need for security and confidentiality of both consumer and employee information. By including this language in the statute, it appears the Legislature was attempting to avoid the implementing rules taking a “one-size-fits-all” approach to data security. And yet, the original rules did take this approach. Not only was the “one-size-fits-all” approach contrary to Chapter 93H, it was also contrary to the approach taken by the Federal government to data security, which is the framework under which mutual funds and other financial institutions have designed their security systems.

The current proposal builds flexibility into the rules, which avoids subjecting all businesses to the same security template. It does so by requiring each business to have a comprehensive information security program that is tailored to the particular business’ size, scope and type of business, it available resources, its amount of stored data, and the need for security and confidentiality of its consumer and employee information. We strongly support building these factors and flexibility into the rules and enabling each business to design the security system that best meets its needs and vulnerabilities.

Another concern we have continuously expressed relates to the rule’s provision applicable to third-party service providers. This provision imposed contractual requirements that are inconsistent with those that mutual funds and other financial institutions are subject to under Federal law. Compliance with Massachusetts’ requirements would have been particularly burdensome for mutual funds because of the unique nature of our business. Unlike most businesses and operating companies, mutual funds have no employees. Instead, all the functions the public typically associates with a mutual fund company—the ability of investors to buy and sell mutual fund shares, the investment of their monies by the mutual fund company, the maintenance of their accounts records, etc.—are not handled by the mutual fund per se, but by third-party service providers under contract to the fund. To impose new terms on each of these contracts – which would literally impact thousands of contracts – would have been a very costly, time-consuming, and significant burden that, at the end of the day, would not have resulted in any greater protection of shareholder data than currently exist under Federal law.

The proposed rules resolve this issue for mutual funds and other Federally-registered financial institutions by tracking the contractual duties imposed on us under Federal law. As such, under the revised rules, businesses will continue to have a duty to ensure that their third-party service providers protect shareholder information, but now they will be able to so in a manner that is consistent with requirements imposed under Federal law, as required by Chapter 93H.

I am very pleased to be here today to support these proposed revisions because I believe they address the concerns we have been expressing since the rules were first proposed. I want to emphasize that, by revising the rules to provide greater flexibility and greater consistency with Federal data security requirements as required by Chapter 93H, the proposed rules in no way diminish the protection and security of Massachusetts residents’ personal data. In our view, the new rules will actually provide stronger protections by enabling each business to tailor its comprehensive information security program to its individual security needs and vulnerabilities.

As I mentioned earlier in my testimony today, notwithstanding our support for the proposed revisions, there are two additional revisions we recommend to better conform the proposal to the requirements of Chapter 93H. Both of these relate to definitions in Rule 17.02

Our first recommendation relates to the definition of “owns or licenses” in Rule 17.02, which is a newly proposed addition to the rules. Chapter 93H expressly charged the Agency with adopting regulations that apply “to any person that owns or licenses personal information about a resident of the Commonwealth.” The proposed definition, however, would extend the rules’ reach far beyond those persons that own or license information. Instead, they would sweep in any person who “receives, maintains, processes, or otherwise has access to personal information.” Not only will this very broad definition expand the rules beyond the Legislature’s intent, it seems to override and nullify the provisions in Rule 17.03(f), which require businesses to oversee their third-party services providers and ensure that such service providers “implement and maintain appropriate security measures.” If every person that receives and processes personal information is independently subject to the rules – as this definition seems to imply – the provisions in Rule 17.03 relating to third-party service providers would never come into play. We do not believe, based on the Agency’s explanation of its proposed revisions, that this was the Agency’s intent in adding a definition and we recommend that the definition be deleted to resolve the inconsistency between the rules’ substance and this definition. Deleting the definition will result in the terms “owns” and “licenses” being construed in accordance with their plain meaning, which is both appropriate and in conformity with the Agency’s authority under Chapter 93H.

The second revision is to the definition of “person.” As I mentioned earlier in my testimony, one of our concerns with the previous version of the rules is their impact on Massachusetts’ sister states. It is not uncommon for another state’s revenue department or 529 plan administrator to acquire information about Massachusetts residents who either owe money to such state or invest in such state’s 529 education savings plan. We do not believe that either the Legislature or the Agency intended to subject state governments that obtain such information to the rules. However, nothing in either the original or proposed versions carves them out. To address this, we recommend that the exclusion in the definition of “person” for the Commonwealth and its subdivisions be expanded to include all State Governments and their subdivisions.

I will be happy to provide you or your staff any additional information you need regarding these recommendations.

In closing, I would very much like to express the appreciation of all mutual fund companies – not just those located here in Boston – to the Agency’s willingness to listen to, understand, and address the very serious concerns our industry had with the original version of the rules. I would particularly like to thank Undersecretary Anthony and General Counsel David Murray, who have been instrumental to this process. While we recommend two minor changes to the rules’ definitions, we support their adoption and appreciate having the opportunity to testify today. We believe that the proposed rules will significantly improve the ability of the business community to protect the privacy interests of Massachusetts residents.